I fully support the idea that HTTPS should become the default for apt repos.
From what I gather, the open question is how best to handle auto-apt-proxy
configuration. There seem to be a number of reasonable proposals:

* Make auto-apt-proxy set "Acquire::https::Verify-Peer false;"
* Automate setting http at install time using preseed with auto-apt-proxy
  asking this as a debconf question.
* Users can always later edit the sources.list. In the context of a BSP or
  DebConf, that is a very reasonable thing to ask.

auto-apt-proxy sounds like a nice feature, but it also adds security risks. We
also need to consider that. Users should get best practice security without
thinking about it at all. That's HTTPS these days, despite its imperfections.
Not defaulting to HTTPS means people have to be aware that HTTP is the default,
then consider using HTTPS. We should of course make it as easy as possible to
use caching proxies; that also comes with a responsibility in making the user
aware that it adds small but present security risks. So a debconf question in
auto-apt-proxy seems like a good place for that.

For those who think that apt's GPG verification is enough, consider these CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1252
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462

For more on this whole topic, I wrote up a blog post based on my previous
research and these ongoing discussions:
https://guardianproject.info/2021/12/08/debian-over-https/